PublicDateAtUSN: 2016-11-11
Candidate: CVE-2016-7055
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7055
https://www.openssl.org/news/secadv/20161110.txt
https://www.openssl.org/news/secadv/20170126.txt
https://usn.ubuntu.com/usn/usn-3181-1
There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that
handles input lengths divisible by, but longer than 256 bits. Analysis
suggests that attacks against RSA, DSA and DH private keys are impossible.
This is because the subroutine in question is not used in operations with
the private key itself and an input of the attacker's direct choice.
Otherwise the bug can manifest itself as transient authentication and key
negotiation failures or reproducible erroneous outcome of public-key
operations with specially crafted input. Among EC algorithms only Brainpool
P-512 curves are affected and one presumably can attack ECDH key
negotiation. Impact was not analyzed in detail, because pre-requisites for
attack are considered unlikely. Namely multiple clients have to choose the
curve in question and the server has to share the private key among them,
neither of which is default behaviour. Even then only clients that chose
the curve will be affected.
mdeslaur> only affects 1.0.2 and 1.1.0
upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=2fac86d9abeaa643677d1ffd0a139239fdf9406a (master)
upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=57c4b9f6a2f800b41ce2836986fe33640f6c3f8a (1.0.2)
upstream_openssl: needs-triage
precise_openssl: not-affected (1.0.1-4ubuntu5.38)
trusty_openssl: not-affected (1.0.1f-1ubuntu2.21)
vivid/ubuntu-core_openssl: not-affected (1.0.1f-1ubuntu11.6)
vivid/stable-phone-overlay_openssl: not-affected (1.0.1f-1ubuntu11.6)
xenial_openssl: released (1.0.2g-1ubuntu4.6)
yakkety_openssl: released (1.0.2g-1ubuntu9.1)
devel_openssl: released (1.0.2g-1ubuntu11)
upstream_openssl098: not-affected
precise_openssl098: not-affected
trusty_openssl098: not-affected
vivid/ubuntu-core_openssl098: DNE
vivid/stable-phone-overlay_openssl098: DNE
xenial_openssl098: DNE
yakkety_openssl098: DNE